Douglas E. Engert wrote:
> Your problem is more of an OpenAFS problem in how it has to use
> DES. You should ask on the OpenAFS list, as there
> have been similar issues before on setting up the afs/cell
> principal.

Maybe, maybe not. As it works with 2003, it is somehow a problem of 2008R2
sending out the correct DES enctypes.

>>>>> What user are you using with the kinit?
> > I did use the users with "use DES enctypes" enabled.
>
>> Only the AD account for the afs and afs/cell principals
>> need to have DES. All others can use the defaults.

Ok, good to know.

> Now I tried with the users without this function enabled and I get
> tickets. But no tokens :-(
> Error:
> adiotest:~# kinit schimmer
> Password for [email protected]:
> adiotest:~# aklog
> aklog: Couldn't get cgv.tugraz.at AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> adiotest:~# tokens
>
>> aklog -d will show some debug output.
>
>> What versions of OpenAFS and Kerberos are running on the client?

OpenAFS 1.4.11 from lenny-backports and krb5-user:
Installed: 1.8+dfsg~alpha1-7
On Win7 netID manager 1.3.1.0

> Tokens held by the Cache Manager:
>
> --End of list--
> adiotest:~#
>
> klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 03/10/10 10:18:24    03/11/10 10:18:24    krbtgt/[email protected]
> Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>
> So looks like no DES enctype for OpenAFS.
>
>> You also said in a previous note:
>
> I set on the Win 2008R2:
> - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
>   value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc.
> - In the DC's Local Security Policy, I enabled all ciphers by checking
>   all 6 boxes at Security Settings \ Local Policies \ Security Options \
>   "Network security: Configure encryption types allowed for Kerberos"
> - I set "use DES enctypes" for some test users (it was enabled for the
>   afs service principal)
>
>> I don't recall asking our AD admin to make these registry changes in 2008
>> to get AFS to work. This may be your problem. It may override
>> the ADS_UF_USE_DES_KEY_ONLY in the UserAccountControl attribute in the
>> account.

Hm. Other guys told me I have to re-enable the DES enctypes to use the server
with OpenAFS again. But if the settings in the AD say "enable DES" - it
should be the same as "use DES enctypes" in the account, isn't it?

>> On the afs service account what are the values of the
>> msDS-SupportedEncryptionTypes, UserAccountControl and msDS-KeyVersionNumber
>> attributes?
>
>> http://msdn.microsoft.com/en-us/library/cc223853(PROT.13).aspx
>> http://msdn.microsoft.com/en-us/library/ms680832(VS.85).aspx

Got me - where to change those parts, in the account details of the
domain I do not see those.

Thank you so far.

MfG,
Lars Schimmer

-- 
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405    E-Mail: [email protected]
Fax: +43 316 873-5402    PGP-Key-ID: 0x4A9B1723

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
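An added example, not from the thread: a small Python helper that translates the numeric error aklog printed above into its krb5 symbolic name and decodes the two AD attributes Douglas asks about (msDS-SupportedEncryptionTypes and UserAccountControl) into readable enctype flags, so an admin can see whether the afs/cell account can be issued a DES service ticket at all. The sample attribute values, the lookup commands in the comments and the "attribute unset falls back to the UAC flag" rule are assumptions.

```python
# Added example (not from the thread). Attribute values would be read from
# the directory, e.g. (assumed commands, not shown on the list):
#   ldapsearch ... '(sAMAccountName=afs)' msDS-SupportedEncryptionTypes userAccountControl
#   Get-ADUser afs -Properties msDS-SupportedEncryptionTypes,userAccountControl

# com_err base of the krb5 error table; a krb5 error code is base + index.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_ERROR_NAMES = {
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",  # "KDC has no support for encryption type"
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
}

# msDS-SupportedEncryptionTypes bit flags as documented by Microsoft.
MSDS_ETYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
DES_BITS = 0x01 | 0x02

# userAccountControl flag behind the "use DES enctypes" checkbox.
ADS_UF_USE_DES_KEY_ONLY = 0x200000


def krb5_error_name(code: int) -> str:
    """Map a numeric krb5 error (as aklog prints it) to its symbolic name."""
    return KRB5_ERROR_NAMES.get(code - KRB5_ERROR_TABLE_BASE, f"unknown({code})")


def decode_etypes(supported: int) -> list:
    """List the enctypes an msDS-SupportedEncryptionTypes value advertises."""
    return [name for bit, name in sorted(MSDS_ETYPE_BITS.items()) if supported & bit]


def des_ticket_possible(supported_etypes: int, uac: int) -> bool:
    """Can the KDC hand out a DES service ticket for this account?
    Assumption: a DES bit in msDS-SupportedEncryptionTypes is honoured, and the
    legacy UAC flag only counts when the attribute is unset (value 0)."""
    if supported_etypes & DES_BITS:
        return True
    return supported_etypes == 0 and bool(uac & ADS_UF_USE_DES_KEY_ONLY)


def diagnose(aklog_code: int, supported_etypes: int, uac: int) -> str:
    """One-line verdict combining the aklog error with the account attributes."""
    etypes = decode_etypes(supported_etypes) or ["(attribute unset: DC defaults)"]
    des = "yes" if des_ticket_possible(supported_etypes, uac) else "no"
    return f"{krb5_error_name(aklog_code)}; account etypes={','.join(etypes)}; DES ticket possible={des}"


if __name__ == "__main__":
    # Constructed sample: afs account advertising only RC4/AES, DES checkbox off.
    print(diagnose(-1765328370, 0x1C, 0x10200))
```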
